package net.zhnb.controller;

import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.zhnb.util.Constants;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class SystemInterceptor implements HandlerInterceptor {

	@Override
	public void afterCompletion(HttpServletRequest arg0,
			HttpServletResponse arg1, Object arg2, Exception arg3)
			throws Exception {
	}

	@Override
	public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1,
			Object arg2, ModelAndView arg3) throws Exception {
	}

	@Override
	public boolean preHandle(HttpServletRequest request,
			HttpServletResponse response, Object handler) throws Exception {

        request.setCharacterEncoding("UTF-8");  
        response.setCharacterEncoding("UTF-8");  
        response.setContentType("text/html;charset=UTF-8");  
        
		//后台session控制
        String[] noFilters = new String[] { "login", }; //后台这此页面不需要检验session
        String uri = request.getRequestURI();
        
        if (uri.indexOf("/admin/") != -1) {
        	boolean beFilter = true;
            for (String s : noFilters) {
                if (uri.indexOf(s) != -1) {
                    beFilter = false;
                    break;
                }
            }
	        if (beFilter) {
	            Object obj = request.getSession().getAttribute( Constants.ADMIN_SESSION_KEY );
	            if (null == obj) {
	                // 未登录  
	                PrintWriter out = response.getWriter();
	                StringBuilder builder = new StringBuilder();
	                builder.append("<script type=\"text/javascript\" charset=\"UTF-8\">");
	                builder.append("alert(\"页面过期，请重新登录\");");
	                builder.append("window.top.location.href=\"");
	                builder.append(Constants.URL);
	                builder.append("/admin\";</script>");
	                out.print(builder.toString());
	                out.close();
	                return false;
	            }
	        }
        }
		if(request.getMethod().toUpperCase().equals("GET")){//只针对get请求
			Enumeration<String> names = request.getParameterNames();
			while (names.hasMoreElements()) {
				String name = names.nextElement();
				String[] values = request.getParameterValues(name);
				for (int i = 0; i < values.length; i++) {
					if (values[i].toUpperCase().indexOf("SELECT")>0||values[i].toUpperCase().indexOf("DELETE")>0
						||values[i].toUpperCase().indexOf("UPDATE")>0 ||values[i].toUpperCase().indexOf("INSERT")>0
						||values[i].toUpperCase().indexOf("OR")>0 ||values[i].toUpperCase().indexOf("AND")>0
						||values[i].toUpperCase().indexOf("'")>0 ||values[i].toUpperCase().indexOf("=")>0) {
						response.setContentType("text/html;charset=utf-8");
						response.getWriter().print("请不要尝试注入,如果检测到你有多次注入的动作,我们会保留报警的权利,你的ip地址是:["+request.getRemoteAddr()+"],谢谢合作!<br><a href='#' onclick='history.go(-1)'>返回</a>");
						return false;
					}
				}
			}
		}
		return true;
	}
}